Help with NAT Problem from using ASDM software

darrenriley5 · ‎11-30-2010

Hi,

Please could somone help me with a NAT issue. What I would like to do is NAT a device which sits within the F5_LTM interface (10.224.192.0/20).

I need to NAT the source address of 10.224.200.8 to 10.224.192.12 when it hits the inside interface.

I made a change using the asdm software to add the following NAT.

static (F5_LTM_SBS,SBS_Inside) 10.224.200.8 10.224.192.12 netmask 255.255.255.255

As the NAT above was added below the network NAT statement (below) I moved it above this as I thought it would need to hit this first like an access-list. When I did this it prevented traffic from the inside accessing 10.224.192.0/20 network.

static (F5_LTM_SBS,SBS_Inside) 10.224.192.0 10.224.192.0 netmask 255.255.240.0

interface GigabitEthernet1/2
nameif F5_LTM

security-level 50
ip address 10.224.192.255 255.255.240.0

interface GigabitEthernet0/1
nameif Inside
security-level 100

ip address 10.224.1.2 255.255.255.240

Can anyone advice if what I'm trying to achive is possible? Was I correct in trying to move the specific NAT above the less specfic NAT and if so how can I do this on the command line. I think using the ASDM has made additional changes I waasn't aware of.

What do people think of using the ASDM software?

Thanks

Panos Kampanakis · ‎11-30-2010

ASDM is pretty useful for most people. It is worth doing a sanity check for commands it pushes, but users are mostly satified.

As for your nat, if you have 2 statics that conflict (include same ip addresses), then you would need to match the first one and the secnd will not take effect. So what you saw there probably makes sense.

Notice though that if

static (F5_LTM_SBS,SBS_Inside) 10.224.200.8 10.224.192.12 netmask 255.255.255.255

is above

static (F5_LTM_SBS,SBS_Inside) 10.224.192.0 10.224.192.0 netmask 255.255.240.0

then the user 10.224.192.12 will not be translated to itseld when going to SBS_Inside.

I hope it helps.

PK